Port 443 traffic bypass Squid Web Proxy

Started by vico1959, April 10, 2024, 12:43:05 AM

I am trying to figure out if there is a host exclude list when using the Squid Proxy. Basically, I have a server behind the firewall that needs unfiltered port 443 access to download updates from IBM. It will not work through any sort of proxy, as it has to have its own certificate and such, so it needs a direct connection. Is there any way that I can bypass the Squid proxy for a particular host behind the firewall like that?

Put the host on a different subnet/VLAN. If your security policy involves Squid, you need to securely handle exceptions. Any client on the LAN can spoof an IP on the exception list if they share a subnet.

Well, the issue with that is this is a production server with our main app on there, so it needs to be completely accessible by clients on the network. I could do some fancy routing configurations and it "might" work, but this is an old AS/400 app and there are a lot of hard-coded IP settings in there, and if it is even possible to get working, support would never support it when there was an issue. Besides, it would be so much easier to have an exclude option in the proxy for specific hosts for these situations. I understand the security concern, but I'm just using the web filtering to keep the honest folks out of trouble anyway, because anyone who really knows what they are doing can find other ways.

You can clone the port forward rule that redirects clients to Squid.

You put that rule before the other (Squid) port forward rule, enable "No RDR (NOT)", and set the "Source" to an alias that contains all the IPs in your network that should not go to the proxy.
Hardware:
DEC740
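What the two port forward rules above amount to underneath the GUI, as an added illustration that is not part of the thread: the firewall is assumed to be OPNsense, which builds a pf ruleset, and the interface name `em1`, the LAN network, the alias name `squid_bypass`, the placeholder address for the AS/400 host and the Squid intercept port 3129 are all assumed values (the thread names none of them). In pf, translation rules are first-match, so the `no rdr` rule only works when it comes before the redirect, which is why the GUI rule order matters.

```pf
# Hypothetical pf fragment (not generated from the thread's firewall).
# Alias holding the hosts that must reach port 443 directly;
# the address here is a constructed placeholder for the AS/400 server.
table <squid_bypass> { 192.0.2.10 }

# Rule 1 (cloned rule, "No RDR" enabled): hosts in the alias are
# matched first, and "no rdr" stops any later rdr rule from applying.
no rdr on em1 inet proto tcp from <squid_bypass> to any port 443

# Rule 2 (original transparent-proxy rule): everyone else on the LAN
# is redirected to Squid's intercept listener on the firewall.
rdr on em1 inet proto tcp from 192.0.2.0/24 to any port 443 -> 127.0.0.1 port 3129
```

Two checks worth making after saving the rules: `pfctl -s nat` should list the `no rdr` line above the `rdr` line, and a connection from the bypass host should appear in the state table as a direct outbound session rather than one to port 3129. Because the exception keys on a source IP that any host on the same subnet could claim (the spoofing point raised earlier in the thread), keeping the alias to the single server, and adding a destination alias for the update servers if their addresses are stable, keeps the hole as small as the use case allows.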

Sorry for my late reply, I got inundated with some more pressing projects. Thank you, that sounds like a good possible workaround. I appreciate your input.